Abstract

Before designing safety- or mission-critical real-time systems, a
specification of the required behavior of the system should be produced
and reviewed by domain experts. After the system has been implemented,
it should be thoroughly tested to ensure that it behaves correctly.
This is best done using a monitor, a system that observes the behavior
of a target system and reports if that behavior is consistent with
the requirements. Such a monitor can be used both as an oracle during
testing and as a supervisor during operation. Monitors should be based
on the documented requirements of the system.

If the target system is required to monitor or control real-valued
quantities, then the requirements, which are expressed in terms
of the monitored and controlled quantities, will allow a range of
behaviors to account for errors and imprecision in observation and
control of these quantities. Even if the controlled variables are
discrete valued, the requirements must specify the timing tolerance.
Because of the limitations of the devices used by the monitor to observe
the environmental quantities, there is unavoidable potential for false
reports, both negative and positive.

This paper discusses design of monitors for real-time systems, and
examines the conditions under which a monitor will produce false
reports. We describe the conclusions that can be drawn when using a
monitor to observe system behavior.